Windows 7 Forums

Windows 7: Infected while helping :(

06 Mar 2011   #1
Orbital Shark

Infected while helping :(

While searching for a solution to a problem posted here on sevenforums I found an answer that was close to what I needed; it was on another tech forum. Only thing was, as soon as I closed the page down I was informed by MSE that I was infected.

After a full system scan, and some 750,000 files checked, it reported to have removed 3 severe threats.

[Screenshot attached: mse.png]

I then thought I'd check Task Manager to see if anything untoward was running and to my surprise I was faced with several processes with an 'Installer' description. Needless to say I immediately killed all suspect processes and deleted all temporary files from both


I then performed a reboot and all seemed well until the processes appeared once again so I downloaded MalwareBytes and performed a Quick Scan and again, I was faced with threats.

Below is a copy of the log...
Malwarebytes' Anti-Malware
Database version: 5976
Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8080.16413
06/03/2011 21:25:24
mbam-log-2011-03-06 (21-25-24).txt
Scan type: Quick scan
Objects scanned: 189694
Time elapsed: 2 minute(s), 54 second(s)
Memory Processes Infected: 12
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 16
Memory Processes Infected:
c:\Users\Jeff\AppData\Local\Temp\WinSATa.exe (Trojan.Agent) -> 4524 -> Unloaded process successfully.
c:\Users\Jeff\AppData\Local\Temp\WinSATa.exe (Trojan.Agent) -> 6004 -> Unloaded process successfully.
c:\Users\Jeff\AppData\Local\Temp\atibtmonb.exe (Trojan.Agent) -> 4028 -> Unloaded process successfully.
c:\Users\Jeff\AppData\Local\Temp\atibtmonb.exe (Trojan.Agent) -> 6092 -> Unloaded process successfully.
c:\Users\Jeff\AppData\Local\Temp\klista.exe (Trojan.Agent) -> 2368 -> Unloaded process successfully.
c:\Users\Jeff\AppData\Local\Temp\klista.exe (Trojan.Agent) -> 6068 -> Unloaded process successfully.
c:\Users\Jeff\AppData\Local\Temp\forfilesb.exe (Trojan.Agent) -> 5692 -> Unloaded process successfully.
c:\Users\Jeff\AppData\Local\Temp\forfilesb.exe (Trojan.Agent) -> 4444 -> Unloaded process successfully.
c:\Users\Jeff\AppData\Local\Temp\odbcconfb.exe (Trojan.Agent) -> 4796 -> Unloaded process successfully.
c:\Users\Jeff\AppData\Local\Temp\odbcconfb.exe (Trojan.Agent) -> 5336 -> Unloaded process successfully.
c:\Users\Jeff\AppData\Local\Temp\logagenta.exe (Trojan.Agent) -> 6048 -> Unloaded process successfully.
c:\Users\Jeff\AppData\Local\Temp\logagenta.exe (Trojan.Agent) -> 5964 -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost (Spyware.Passwords.XGen) -> Value: conhost -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\Users\Jeff\AppData\Local\Temp\WinSATa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Jeff\AppData\Local\Temp\atibtmonb.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Jeff\AppData\Local\Temp\klista.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Jeff\AppData\Local\Temp\forfilesb.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Jeff\AppData\Local\Temp\odbcconfb.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Jeff\AppData\Local\Temp\logagenta.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\microsoft\conhost.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\dwm.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\Users\Jeff\AppData\Local\Temp\calca.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Jeff\AppData\Local\Temp\fixmapia.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Jeff\AppData\Local\Temp\ocsetupa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Jeff\AppData\Local\Temp\printa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Jeff\AppData\Local\Temp\psra.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{62c40aa6-4406-467a-a5a5-dfdf1b559b7a}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{bbaeaeaf-1275-40e2-bd6c-bc8f88bd114a}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
Quite a loss really as I'm a very careful browser.

I have one main question...

If MSE detected a threat file after closing the browser page why did it not detect that the file was attempting to be downloaded to c:\windows\system32?

From that stems another one...

Why did it then allow other files to embed themselves into Task Manager, the Registry and my temp locations?

Is it not the job of AntiVirus & Internet Security to do exactly what their name intends? Especially as 1 of the severe threats was months old (see info below).


Encyclopedia entry
Updated: Nov 25, 2010 | Published: Jun 04, 2010

  • Swisyn.s (McAfee)
  • Trojan.Win32.Swisyn.jyb (Kaspersky)
  • W32.Changeup!gen (Symantec)
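The Malwarebytes log above shows the shape of this infection: executables dropped into the user's Temp folder under names that mimic legitimate Windows programs with a letter appended (WinSATa, klista, calca), two binaries planted under the SYSTEM profile, a Run-key autostart value named conhost, and three .job scheduled tasks. The following Python script is an added example, not part of this thread and not Malwarebytes code: it parses that log format and groups each detection by persistence location so the picture is visible at a glance. The list of impersonated program names is an assumption assembled from the log's own entries, and the sample lines are a subset of the posted log.

```python
"""Triage helper for a Malwarebytes' Anti-Malware (MBAM) log.

Added example, not part of the original thread or of Malwarebytes. It parses
"<item> (<family>) -> ... -> <action>" lines into records and groups them by
the kind of indicator a defender cares about.
"""
import os
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the log posted in this thread.
SAMPLE_LOG = r"""
Memory Processes Infected:
c:\Users\Jeff\AppData\Local\Temp\WinSATa.exe (Trojan.Agent) -> 4524 -> Unloaded process successfully.
c:\Users\Jeff\AppData\Local\Temp\WinSATa.exe (Trojan.Agent) -> 6004 -> Unloaded process successfully.
c:\Users\Jeff\AppData\Local\Temp\klista.exe (Trojan.Agent) -> 2368 -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost (Spyware.Passwords.XGen) -> Value: conhost -> Quarantined and deleted successfully.
Files Infected:
c:\Users\Jeff\AppData\Local\Temp\WinSATa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Jeff\AppData\Local\Temp\klista.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\microsoft\conhost.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\dwm.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\Users\Jeff\AppData\Local\Temp\calca.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{62c40aa6-4406-467a-a5a5-dfdf1b559b7a}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# One detection line: item, family in parentheses, then " -> " separated details.
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")

# Assumption: names of legitimate Windows/OEM programs that the dropped files
# impersonate, assembled from the log above (WinSATa.exe -> winsat, etc.).
IMPERSONATED_NAMES = {"winsat", "atibtmon", "klist", "forfiles", "odbcconf", "logagent",
                      "calc", "fixmapi", "ocsetup", "print", "psr", "conhost", "dwm"}


@dataclass(frozen=True)
class Finding:
    section: str   # e.g. "Files Infected"
    item: str      # file path or registry value path as written in the log
    family: str    # detection name, e.g. "Trojan.Agent"
    action: str    # what MBAM did, e.g. "Quarantined and deleted successfully"


def parse_mbam_log(text):
    """Return one Finding per detection line, tagged with its log section."""
    findings, section = [], ""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith(":"):          # section header
            section = line[:-1]
            continue
        m = ENTRY_RE.match(line)
        if m:                           # "(No malicious items detected)" does not match
            action = m.group("rest").split(" -> ")[-1].rstrip(".")
            findings.append(Finding(section, m.group("item"), m.group("family"), action))
    return findings


def classify(item):
    """Map a detected path to the persistence/drop location it represents."""
    p = item.lower().replace("\\", "/")
    stem = os.path.splitext(os.path.basename(p))[0]
    if p.startswith("hkey_") and "/run/" in p:
        return "run_key_autostart"
    if "/windows/tasks/" in p and p.endswith(".job"):
        return "scheduled_task_job"
    if "/system32/config/systemprofile/" in p:
        return "system_profile_drop"
    if "/appdata/local/temp/" in p and p.endswith(".exe"):
        # A known program name with one extra trailing letter is the pattern in this log.
        if stem not in IMPERSONATED_NAMES and stem[:-1] in IMPERSONATED_NAMES:
            return "temp_masquerade"
        return "temp_executable"
    return "other"


def triage(findings):
    """Group unique items by indicator kind; memory and file hits of one path merge."""
    groups = {}
    for f in findings:
        groups.setdefault(classify(f.item), set()).add(f.item)
    return {kind: sorted(items) for kind, items in groups.items()}


def family_counts(findings):
    """How many detection lines each malware family accounts for."""
    return Counter(f.family for f in findings)


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    for kind, items in triage(found).items():
        print(f"{kind} ({len(items)}):")
        for item in items:
            print("   ", item)
    print(dict(family_counts(found)))
```

Running it on the full posted log rather than the subset would add the remaining Temp drops and the third .job task to their groups; the grouping makes clear that the Run value and the .job files are what brought the processes back after the reboot described in the post.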


06 Mar 2011   #2
Microsoft MVP

Windows 7 Ult. x64

Holy Crap! Sorry about that.....the replies will be interesting. Did you manage to clean your system?

06 Mar 2011   #3

Microsoft Community Contributor Award Recipient

Windows 7 x64

This is why I browse with Firefox running the NoScript plugin. It's a bit problematic but very secure if you actually know what you're doing with it.
Injections are just too easy to make...

06 Mar 2011   #4

Windows 7 Home Premium x64 SP1

Another MSE swing and miss. It's gotta be the most overrated AV on the planet. MBAM, HMP, SAS, NPE, Housecall are what I would start with, and hopefully all of those will work.....Good luck, and time to rethink your antivirus!
06 Mar 2011   #5

Windows 7 Professional 64 Bit SP1

Yes it is, the Web of Trust addon is also helpful.

Quote: Originally Posted by Maguscreed
    This is why I browse with Firefox running the NoScript plugin. It's a bit problematic but very secure if you actually know what you're doing with it.
    Injections are just too easy to make...

Wow, that's one hell of an attack there, I hope you get it all cleared out.
06 Mar 2011   #6
The Howling Wolves

Windows 7 Home Premium 64bit

I use WOT all the time when going to new places along with the favorites MBAM, SAS, and WinPatrol.
Yes, it is overkill but you don't see me asking for BSOD help.
06 Mar 2011   #7

Windows 7 Professional 64 Bit SP1

Prevention (for the most part) is better than a cure :) WOT really helps you avoid making a bad move.

Quote: Originally Posted by The Howling Wolves
    I use WOT all the time when going to new places along with the favorites MBAM, SAS, and WinPatrol.
    Yes, it is overkill but you don't see me asking for BSOD help.
06 Mar 2011   #8
I be he

Win 7 64 premium

Greetings.................... 1st, there is no such thing as "safe surfing, just use your common sense" anymore. 2nd, A/Vs won't protect you like they used to anymore either. 3rd, please for the love of Pete download and use Sandboxie for all your surfing needs from now on. I have never ever heard of any malware being able to get past Sandboxie, so don't say you weren't warned. Oh yeah, it's good enough to use all by itself.
06 Mar 2011   #9

Main - Windows 7 Pro SP1 64-Bit; 2nd - Windows Server 2008 R2

I had a friend who died after getting infected while helping someone.

(His wife killed him.)
06 Mar 2011   #10

Windows 7 Ultimate (64 bit)


Take the following steps to help prevent infection on your system:

  • Enable a firewall on your computer.
  • Get the latest computer updates for all your installed software.
  • Use up-to-date antivirus software.
  • Use caution when opening attachments and accepting file transfers.
  • Use caution when clicking on links to Web pages.
  • Avoid downloading pirated software.
  • Protect yourself against social engineering attacks.
  • Use strong passwords.
